CVE-2025-22092

Clean up when virtfn setup fails to prevent NULL pointer dereference during device removal. The kernel oops below occurred due to incorrect error handling flow when pcisetupdevice() fails.

Add pciiovscandevice(), which handles virtfn allocation and setup and cleans up if pcisetupdevice() fails, so pciiovaddvirtfn() doesn't need to call pcistopandremovebus_device(). This prevents accessing partially initialized virtfn devices during removal.

BUG: kernel NULL pointer dereference, address: 00000000000000d0 RIP: 0010:devicedel+0x3d/0x3d0 Call Trace: pciremovebusdevice+0x7c/0x100 pciiovaddvirtfn+0xfa/0x200 sriovenable+0x208/0x420 mlx5coresriovconfigure+0x6a/0x160 [mlx5core] sriovnumvfsstore+0xae/0x1a0

[bhelgaas: commit log, return ERR_PTR(-ENOMEM) directly]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e3f30d563a388220a7c4e3b9a7b52ac0b0324b26

Fixed

ef421b4d206f0d3681804b8f94f06a8458a53aaf

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e3f30d563a388220a7c4e3b9a7b52ac0b0324b26

Fixed

c67a233834b778b8c78f8b62c072ccf87a9eb6d0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e3f30d563a388220a7c4e3b9a7b52ac0b0324b26

Fixed

04d50d953ab46d96b0b32d5ad955fceaa28622db

Affected versions

v6.*

v6.12

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.10

v6.13.2

v6.13.3

v6.13.4

v6.13.5

v6.13.6

v6.13.7

v6.13.8

v6.13.9

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.13.11

Type: ECOSYSTEM
Events: Introduced

6.14.0

Fixed

6.14.2